I know this gets asked quite a bit, but my current network contains a Cisco ASA 5510. The network is as below. We are looking to possibly deploy an ISA server into our environment for the reverse web proxy features, to protect our public web sites and OWA and possibly a future SharePoint deployment.
Internet router | ASA -- DMZ 10.10.30.x | Internal LAN 192.168.0.x
What would be the best way to deploy ISA. Should we do a unihomed setup in the DMZ or place one NIC in the DMZ and one NIC on the internal LAN and then move the public servers to the internal LAN.
The best setup, and the one that will create the fewest issues, is to put the ISA firewall on the edge with the ASA. The firewall was designed to be an edge firewall, so there are no security implications, plus you can also take advantage of the ISA firewall's superior outbound access control if you like.
Correct. The ISA firewall would exist side by side with the ASA, so the external interface of the ISA firewall is plugged into the router, another NIC into the DMZ, and another NIC into the internal network.
Thanks to both of you for your suggestions, I will keep them in mind if we end up moving forward with this project. However if we were to set it up as a backend firewall, I would assume for every rule created on the ASA the same rule would have to be created on the ISA?
Don't you think that putting the ISA firewall on the edge, in parallel with the ASA, would be easier to manage? That way, you don't expose the ISA firewall to ASA issues.
Easier, but not necessarily better
Why not better? The ISA firewall can easily be deployed on the edge; when the inevitable troubleshooting issues come up you don't need to deal with the ASA issues, and you can take advantage of the full ISA firewall feature set while not having to accommodate complications and limitations introduced by the ASA.
From: United Kingdom
I like multi-tier designs that follow some form of defense in depth philosophy. The front firewall is a good place to offload a lot of "noise" and also utilise a device that is very good at static NAT functionality in addition to S2S VPN termination... as you are aware (I was trying to avoid name and shame) ISA ain't that great when it comes to NAT flexibility, and S2S VPN is a little behind some of the competition (AES anyone?).
I think ISA is fab (as you know) but I don't see why it can't be combined with other solutions so that they complement each other. As good as ISA is, it still isn't a complete one stop shop (yet) IMHO and I like to let a good network firewall look after networks and a good application firewall look after applications. I think TMG will further close this gap and my view may change at this time...
If you want simple, yep, ISA on its own provides an awful lot of value, but why not merge technologies to raise the bar even further?
I think Jason has a good point here with the NAT and S2S stuff. Also, it may help if the front firewall can handle multiple Internet connections in certain scenarios. Having the back-to-back model, we can expose the site-to-site traffic to ISA's firewall inspection, which we cannot directly do with the parallel model, unless we control or own the remote office. And it may add a little bit in terms of DoS if the front firewall can SYN-proxy for the published servers (which ISA does only for protocols that have an application filter), assuming the SYN-proxy thing does not break communications, while still having ISA inline in the back closed to the xorp ner (a thing that I suspect we all like).
I also think that Tom has a good point too, the parallel approach can be better if SIP is involved, or maybe if we need to pass OSPF over the VPN tunnel.
IMHO, AES is just a tiny problem in respect with site-to-site VPNs. Anyway, the way the others use it in the past and now does not automatically give them more "confidentiality" over 3DES (unless 3DES has or will have a serious flaw; for the moment not), and Microsoft knows that; they waited to bring the "rest" of the pieces in line with AES' strength (AES is present on TMG for VPN). If they (Microsoft) focus only on AES, they are wrong, deeply wrong. Their implementation of IPsec tunnel mode with ISA is rather broken (well, somebody had to say it, don't shoot me). In certain cases we are more secure using pre-shared keys than authenticating with certificates (my oh my...). There is a basic and simple thing with IPsec tunnel mode: we specify the local subnet and remote subnet, so I'm not sure how this went wrong... there are many cases when we do not want/need to specify the entire Internal Network as local subnet. A proper IPsec tunnel mode implementation is critical in order to have a robust and powerful VPN gateway, otherwise the site-to-site scenarios and possibilities would be limited.
< Message edited by adimcev -- 19.Nov.2008 5:23:42 PM >
I was being kind by only mentioning AES
As I said, TMG will probably solve some of these issues and hopefully bring ISA closer to the "all encompassing edge product" it strives to be... I still think there will always be a place for defence in depth with complementary solutions though, but maybe that's just me.